Google Chromebook Enrollment via SCEP using SecureW2 Connector


SecureW2’s SCEP service can facilitate the secure enrollment of Google Chromebooks, ensuring that only trusted devices can obtain digital certificates necessary for network access. By integrating SecureW2 Connector with your MDM, administrators can efficiently manage Chromebook enrollments and maintain rigorous security standards.

Traditional SCEP implementations typically require a pre-shared key for certificate issuance. With SecureW2, organizations can ensure that only authorized and managed devices receive certificates needed to access sensitive resources.

This guide describes the steps to integrate Google Admin Console with SecureW2’s Cloud Connector to allow Chromebooks to enroll for digital certificates via SCEP (Simple Certificate Enrollment Protocol).

Prerequisites

The following are prerequisites to set up SCEP-based enrollment:

  • Chromebooks running Chrome OS that support SCEP.
  • Subscription to Google Workspace or Chrome Enterprise.
  • An active JoinNow subscription, along with SecureW2 Enterprise Enrollment and Attestation (EEA).

Setting up SCEP with SecureW2

To set up SCEP-based enrollment in SecureW2, the following high-level steps are required:

  1. Creating an Intermediate CA
  2. Creating a Certificate Template
  3. Creating an SCEP API Gateway
  4. Creating an Identity Lookup Provider
  5. Configuring Policy Management

Creating an Intermediate CA

It is recommended to have a new intermediate CA for enrolling devices using SCEP for streamlined management.

  • Navigate to: JoinNow Management Portal -> PKI -> Certificate Authorities.
  • Add Certificate Authority: Select Device and User Authentication from the Generate CA For dropdown.
  • Configuration: Choose Intermediate CA for Type. Select the default Root CA from your organization for Certificate Authority.
  • Naming: Enter a Common Name; consider including “SCEP” for clarity.
  • Save the configuration.

Creating a Certificate Template for Chromebook

A certificate template outlines how information is encoded in the certificate issued by the CA.

  • Navigate to: PKI -> Certificate Authorities.
  • Add Certificate Template: Name the template. Use predefined variables like CN=${/csr/subject/commonname} for dynamic source value extraction from Chromebooks.
  • Details: Fill in Description, define Validity Period, and choose SHA-256 for Signature Algorithm.
  • SAN Configuration: Specify fields using variables such as ${/csr/san/othername}, ${/csr/san/rfc822name}, etc.
  • Usage: Select Client Authentication.
  • Save the configuration.

Creating an SCEP API Gateway

Set up an API Gateway for Chromebook enrollment:

  • Navigate to: Identity Management -> API Gateways.
  • Add API Gateway: Name your API Token and provide a Description if necessary.
  • Selection: Choose SCEP Client Certificate Enrollment Token as the Type and Google as the Vendor.
  • Save the configuration: A configuration file is generated.

Creating an Identity Lookup Provider

To manage Chromebook information:

  • Navigate to: Identity Management -> Identity Providers.
  • Add Identity Provider: Enter Name and Description, and select Google Identity Lookup as the Type.
  • Configuration: Fill in the Google Admin URL, Username, and Password.
  • Validation: Click Validate to ensure connection.
  • Attributes & Groups: Map required attributes and set up needed groups.
  • Save and Update.

Policy Management in SecureW2

Define lookup policies and user and device roles, which can then be used to create enrollment policies.

Account Lookup Policy

Creates rules for accounting purposes.

  • Navigate to: Policy Management -> Account Lookup Policies.
  • Add Policy: Enter Name and Description.
  • Configuration: Associate with the Google Identity Lookup provider and define parameters like Lookup Type.
  • Save and Update.

Enrollment Policy

  • Navigate to: Policy Management -> Enrollment Policies.
  • Add Policy: Name and describe the policy.
  • Associations: Link Device and User Roles and specify Conditions and Settings using the created CA and template.
  • Save Configuration.

Configuring SCEP Certificate in Google Admin Console

Log in to the Google Admin Console to configure the SCEP profile for Chromebooks:

  • Navigate to: Devices -> Chrome -> Network.
  • Create Configuration Profile: Add a new profile for SCEP.
  • SCEP Settings: Enter details like Directory URL, Client Identifier, Key Size (e.g., 384), and select an appropriate key type.
  • Hardware Bound: Enable via toggle switch if required.
  • Subject Configuration: Use values from the downloaded configuration file to fill the Subject field in the format /CN=value.

Configure additional settings as needed and click Save to complete enrollment setup.
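
To check that an issued certificate reflects the template choices made above (SHA-256 signature, Client Authentication usage, issuance by the dedicated SCEP intermediate CA), the script below audits a PEM certificate against a CA bundle. It is an added example, not SecureW2 or Google tooling; it assumes OpenSSL 1.1.1 or later, and the function names, file names and demo certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not SecureW2 or Google tooling. Assumes OpenSSL 1.1.1+ on PATH.

# audit_scep_cert CERT CA_BUNDLE
# Returns 0 only if CERT matches the template settings chosen in this guide.
audit_scep_cert() {
  _text="$(openssl x509 -in "$1" -noout -text 2>/dev/null)" ||
    { echo "FAIL: unreadable certificate"; return 2; }
  # Template "Signature Algorithm": SHA-256 (RSA or ECDSA variant).
  printf '%s\n' "$_text" | grep -qi 'Signature Algorithm:.*sha256' ||
    { echo "FAIL: signature algorithm is not SHA-256"; return 1; }
  # Template "Usage": Client Authentication must be an explicit EKU.
  printf '%s\n' "$_text" | grep -q 'TLS Web Client Authentication' ||
    { echo "FAIL: Client Authentication EKU missing"; return 1; }
  # Issuer: must chain to the expected bundle (root + SCEP intermediate).
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 ||
    { echo "FAIL: does not chain to the expected CA"; return 1; }
  echo "OK: $(openssl x509 -in "$1" -noout -subject)"
}

# Constructed demo data: a throwaway CA standing in for the SCEP intermediate,
# one leaf with clientAuth and one with serverAuth only.
make_demo_certs() {
  cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = demo
[ca]
basicConstraints = critical,CA:TRUE
[client]
extendedKeyUsage = clientAuth
[server]
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$1/demo.cnf" \
    -extensions ca -subj "/CN=Demo SCEP Intermediate" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" \
    -subj "/CN=demo-chromebook" -keyout "$1/dev.key" -out "$1/dev.csr" 2>/dev/null
  for eku in client server; do
    openssl x509 -req -in "$1/dev.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
      -CAcreateserial -sha256 -days 1 -extfile "$1/demo.cnf" -extensions "$eku" \
      -out "$1/$eku.pem" 2>/dev/null
  done
}

demo_dir="$(mktemp -d)" && make_demo_certs "$demo_dir"
audit_scep_cert "$demo_dir/client.pem" "$demo_dir/ca.pem"
audit_scep_cert "$demo_dir/server.pem" "$demo_dir/ca.pem" || true
```

For real use, pass a PEM copy of a certificate issued to a Chromebook as the first argument and a bundle containing your root and SCEP intermediate CA as the second.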